Buffer Overflow
Exploits: The Why and How
www.mcafee.com
Table of Contents
Unchecked buffers
Exploiting the overflow
Now, for the clever part
Other types of buffer overflow exploits
Preventing buffer overflow exploits
Summary
Buffer overflow exploits are the tool of choice of today's attacker. These exploits have the most power, are the easiest to use, and are all too common. Buffer overflows constitute the largest single threat to enterprises today.

• Buffer overflow exploits are very common. There are hundreds of known unchecked buffers that can be overflowed by attackers, with more being discovered all the time. Over 60% of CERT advisories deal with buffer overflow exploits.
• Buffer overflow exploits are easy to use. Nearly anyone (12 year olds and script kiddies included) can download buffer overflow attack code and follow a simple "recipe" to execute it. No advanced technical knowledge is necessary to run pre-written buffer overflow exploit code.
• Buffer overflow exploits are very powerful. The malicious code that executes as a result of a buffer overflow runs with the privileges of the vulnerable process, and in many cases that is an administrator-level (or root) account, so the code can do anything it wants to the server.

Unchecked buffers

Unchecked buffers enable buffer overflows. An unchecked buffer occurs when the programmers who write an application neglect to check the size of the data before storing it. In most commonly used programming languages, buffers that store data are allocated with a fixed size. Programmers allocate enough buffer space to store "normal" data. Let's take an example:

Assume for a moment that you are a programmer in charge of writing a login routine for an application. Your routine must accept a user name and password from the user and determine whether or not to allow the user access. One of the first things you must determine is how much buffer space to allocate for the user name and password buffers. Given that the maximum length of any user name for this system is 32 characters, you decide to allocate 100 characters of buffer memory, which is more than enough to hold the longest user name.

You may erroneously think that since the 100 character buffer is much larger than the 32 characters that a user would normally submit, this routine is not vulnerable to buffer overflow exploits. However, because you neglected to check the length of the data submitted before copying it into the buffer, this routine can be exploited. An attacker only needs to send more than 100 characters to this routine, and the buffer will overflow.

Exploiting the overflow

In the simplest case, an overflowed buffer will cause the application that owns that buffer to crash, which results in denial of service. However, in most cases attackers can do much more. By cleverly constructing the data submitted, attackers can cause their arbitrary attack code to be executed. This attack code can do nearly anything the attacker desires, from reformatting the hard drive, to stealing data, to installing backdoor programs.

Computer programs are organized into subroutines. The program's main routine calls each subroutine, which performs its particular function(s) and then returns control to the main routine.

Each subroutine, in turn, has to save various pieces of information in order to perform its work. Subroutines use an area of memory called the stack for storing this information. One of these pieces of information is the memory address to which the subroutine should return control when it is finished with its work.

Subroutines also store temporary data (buffers) on the stack. Each time a subroutine is run, the required memory is allocated on the stack in a unit called a stack frame. This stack frame includes space for any buffers the subroutine requires, as well as the calling routine's return address. When the subroutine completes its work, it returns control to the calling routine by jumping to the address stored in the stack frame, and the stack frame is popped off the stack.

All of this machinery works perfectly until a stack buffer overflows. When a user sends 1000 characters to a 100 character stack buffer, the extra 900 characters overwrite adjacent memory in the stack frame, overwriting other buffers and the stack frame's return address. On most architectures the stack grows toward lower addresses while a buffer is filled toward higher addresses, which is exactly why the excess data runs into the saved return address above the buffer rather than into unused stack space.

Now, when the subroutine attempts to return control to the main program, it jumps to the address that is stored in the return address portion of the stack frame. Unfortunately, this address has been overwritten by the overflowed buffer and is corrupted. When the program tries to jump to an invalid address, it crashes.

Now, for the clever part

If the attacker sends 1000 characters that are carefully chosen, he or she can control the return address. Rather than jumping to a non-existent address, the attacker can instruct the program to jump to the address of malicious exploit code. There are two tasks that must be performed to accomplish
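The following program is an added illustration, not code from the McAfee paper, and it serves both the "Unchecked buffers" login example and the return-address overwrite described under "Exploiting the overflow" and "Now, for the clever part". It models the stack frame as an explicit byte array (a 100-byte user name buffer sitting directly below an 8-byte, little-endian saved return address) so that the overwrite is deterministic and observable instead of undefined behaviour; that layout, the `SAFE_RETURN` and attacker addresses, and the absence of a frame pointer or stack canary between buffer and return address are all assumptions made for the demonstration. The unchecked routine copies whatever it is given, the checked routine enforces the 32-character limit the system actually allows, and `build_payload` places an attacker-chosen address at the offset where the return address lives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32   /* longest legitimate user name (from the paper) */
#define BUF_SIZE     100  /* what the login routine actually allocated */
#define RET_SIZE     8    /* assumed: 64-bit, little-endian return address */

/* Model of the stack frame the paper describes: the user name buffer sits
 * directly below the saved return address. Modelled as one flat byte array
 * (assumed layout, no canary or saved frame pointer in between) so the
 * overwrite is deterministic rather than undefined behaviour. */
struct frame {
    unsigned char bytes[BUF_SIZE + RET_SIZE];
};

#define SAFE_RETURN 0x401000ULL   /* hypothetical address in the caller */

static uint64_t frame_return_address(const struct frame *f)
{
    uint64_t v = 0;
    for (size_t i = 0; i < RET_SIZE; i++)
        v |= (uint64_t)f->bytes[BUF_SIZE + i] << (8 * i);
    return v;
}

static void frame_set_return_address(struct frame *f, uint64_t addr)
{
    for (size_t i = 0; i < RET_SIZE; i++)
        f->bytes[BUF_SIZE + i] = (unsigned char)(addr >> (8 * i));
}

/* The bug from the "Unchecked buffers" section: every byte the user sent
 * is copied with no length check. (The model has no memory past the return
 * slot, so the demo keeps len <= sizeof f->bytes; a real overflow would
 * keep going.) */
static void login_unchecked(struct frame *f, const unsigned char *input, size_t len)
{
    frame_set_return_address(f, SAFE_RETURN);
    memcpy(f->bytes, input, len);              /* no bound on len */
}

/* The fix: check the length before copying. Returns 1 if the name was
 * accepted, 0 if it was rejected. */
static int login_checked(struct frame *f, const unsigned char *input, size_t len)
{
    frame_set_return_address(f, SAFE_RETURN);
    if (len > USERNAME_MAX)
        return 0;
    memcpy(f->bytes, input, len);
    f->bytes[len] = '\0';                      /* fits: USERNAME_MAX < BUF_SIZE */
    return 1;
}

/* "Carefully chosen" input: BUF_SIZE filler bytes, then the target address
 * in little-endian order, positioned exactly over the saved return address.
 * Returns the payload length, or 0 if the output buffer is too small. */
static size_t build_payload(unsigned char *out, size_t out_len, uint64_t target)
{
    size_t n = BUF_SIZE + RET_SIZE;
    if (out_len < n)
        return 0;
    memset(out, 'A', BUF_SIZE);
    for (size_t i = 0; i < RET_SIZE; i++)
        out[BUF_SIZE + i] = (unsigned char)(target >> (8 * i));
    return n;
}

/* Where the unchecked routine would return to after receiving the payload. */
static uint64_t return_after_unchecked(uint64_t target)
{
    unsigned char payload[BUF_SIZE + RET_SIZE];
    struct frame f;
    login_unchecked(&f, payload, build_payload(payload, sizeof payload, target));
    return frame_return_address(&f);
}

/* Same payload against the checked routine: rejected, return address intact. */
static uint64_t return_after_checked(uint64_t target, int *accepted)
{
    unsigned char payload[BUF_SIZE + RET_SIZE];
    struct frame f;
    *accepted = login_checked(&f, payload, build_payload(payload, sizeof payload, target));
    return frame_return_address(&f);
}

/* A normal user name passes the checked routine unchanged. */
static int checked_accepts(const char *name)
{
    struct frame f;
    return login_checked(&f, (const unsigned char *)name, strlen(name));
}

int main(void)
{
    uint64_t attacker_addr = 0xdeadbeefcafe0000ULL;  /* hypothetical shellcode address */
    int accepted;
    uint64_t r;
    printf("unchecked: returns to 0x%llx\n",
           (unsigned long long)return_after_unchecked(attacker_addr));
    r = return_after_checked(attacker_addr, &accepted);
    printf("checked:   accepted=%d, returns to 0x%llx\n", accepted, (unsigned long long)r);
    printf("checked accepts \"alice\": %d\n", checked_accepts("alice"));
    return 0;
}
```

The point to take from the model is the offset arithmetic: the attacker does not need 1000 bytes, only enough to reach the return slot plus the address itself, and the exact distance between the start of the buffer and the saved return address is what the attacker must get right. In a real frame that distance also covers padding, saved registers and, on hardened builds, a stack canary that the overwrite would destroy, which is one reason canaries and length checks such as `login_checked` stop this class of attack.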